Anticipate onScriptDisabled surrogates to first script-src 'none' CSP violation.

Author: hackademix

src/content/content.js

@@ -87,7 +87,10 @@ window.addEventListener("pageshow", notifyPage);
 let violations = new Set();
 window.addEventListener("securitypolicyviolation", e => {
   if (!e.isTrusted) return;
-  let type = e.violatedDirective.split("-", 1)[0]; // e.g. script-src 'none' => script
+  let {violatedDirective} = e;
+  if (violatedDirective === `script-src 'none'`) onScriptDisabled();
+
+  let type = violatedDirective.split("-", 1)[0]; // e.g. script-src 'none' => script
   let url = e.blockedURI;
   if (!(url && url.includes(":"))) {
     url = document.URL;
@@ -120,8 +123,7 @@ ns.on("capabilities", () => {
       })();
     }
 
-    if (document.readyState !== "loading") onScriptDisabled();
-    window.addEventListener("DOMContentLoaded", onScriptDisabled);
+    onScriptDisabled();
   }
 
   notifyPage();

src/content/onScriptDisabled.js

@@ -1,4 +1,9 @@
 function onScriptDisabled() {
+  if (document.readyState === "loading") {
+    window.addEventListener("DOMContentLoaded", e => onScriptDisabled());
+    return;
+  }
+  onScriptDisabled = () => {};
   let refresh = false;
   for (let noscript of document.querySelectorAll("noscript")) {
     // force show NOSCRIPT elements content